agile risk management - re-engineering risk solutions to enable
TRANSCRIPT
Agile Risk ManagementRe-Engineering Risk Solutions to Enable Business Strategies
PROTIVITI • AGILE RISK MANAGEMENT | 1
Executive SummaryThe global financial crisis has forced financial services firms to operate in an intensely complex and challenging environment. As the global economy remains uncertain, causing pockets of volatility to flare up regularly in the increasingly unpredictable financial markets, and as technology companies disrupt the market, competition is fiercer than ever. In addition, overarching these difficult operating conditions is an ever-increasing regulatory burden.
In such an environment, firms must have confidence in their ability to navigate these challenges in order to deliver value to shareholders and stakeholders. Agile, responsive and dynamic risk management and compliance systems are key enablers to success.
Agility is built on dedication to a three-point foundation: an aligned organization permeated by clarity, collaboration and convergence; operational excellence based on strategy informed by foresight and enhanced by transparency; and customer satisfaction enabled by a customer-centric focus on design and development throughout the enterprise.
This paper introduces a new Agile Risk Management philosophy that will enable proactive organizations to take the lead in adopting an agile approach to risk management to better meet the challenges of today’s operating environment.
2 | AGILE RISK MANAGEMENT • PROTIVITI
RISK AND COMPLIANCE CHALLENGES
Emerging from the global financial crisis, organizations have failed to keep pace with changing trends in risk and compliance. Resource allocation for risk and compliance initiatives implemented immediately following the crisis to demonstrate urgency and prioritization to regulators has proven to be unsustainable.
“Firefighting” projects have diverted funds from areas such as customer-facing upgrades and critical investment in creaky legacy systems and have increased the overall cost structure for risk and compliance, restricting business growth. Attempts to effectively build complex processes on inadequate infrastructure have increased head count and slowed down critical processes. Meanwhile, as firms fight fires, they are losing sight of the real benefit of risk management: looking ahead to identify threats and opportunities.
Paradoxically, the increase in spending on risk and compliance initiatives since the crisis has taken place in a period marked by sustained organizational cost-cutting initiatives. While firms continue with their cost-cutting efforts, some that have imposed cuts for several consecutive years are now realizing that they will soon maximize the savings they can derive from straight cost-cutting and that they will need to shift their focus to growth and innovation.
Responding to risk and compliance gaps over the years has left the financial services industry in an unsustainable situation
Growth and innovation have been forced to take a back seat given risk and compliance challenges.
Large bank fines have topped $200B over the past five years.
Operating costs have become unsustainable as quick-fix solutions and increasing headcount are the norm to improve risk management practices.
Inherent risk continues to rise given the underlying business complexity and increased pace of change.
Unsustainable Costs
Significant Fines$200B
Inherent RiskGrowth and
InnovationRisk and
Compliance
PROTIVITI • AGILE RISK MANAGEMENT | 3
In this new environment, boards of directors and senior management need to recognize that current spend on risk and compliance efforts has to be arrested and/or start to shrink while also providing added business value.
“Many organizations are beginning to change their vision for risk management,” says Cory Gunderson, who leads Protiviti’s Global Financial Services Industry practice. “The risk function is moving away from being a control checker and referee to an enabler of business performance by driving a single approach for risk management and taking full responsibility for improving the risk culture of the organization.
“Leading practices in risk management suggest that taking a more agile approach allows improved business performance and anticipation, along with increased transparency. This approach also enables consistent profitability and optimized costs to unlock the true value of risk management.”
All those in risk management and compliance roles will need to maximize the resources they have to remain effective. The prevailing model, in which control functions, including the first, second and third lines of defense, tend to be siloed, manual and reactive, is exacerbating the problem. Too often, these functions employ a reactive find-and-fix model, which expends time and resources firefighting immediate issues, such as regulatory actions or internal audit findings within their individual risk silos, rather than working collaboratively on value-added activities such as risk identification and mitigation.
This is not a recent phenomenon. Risk is stuck in a reactionary cycle, where risk and compliance breakdowns are consuming valuable time and resources that could be deployed elsewhere to enable growth and innovation within the business. For risk management to evolve, this cycle needs to be broken; firms that are constantly fighting fires cannot deal with emerging risks and issues.
Firms have recognized that they need to become more efficient in managing risk, compliance and internal audit requirements. Some have made advances in ensuring the control functions work more closely together, but generally, processes still take too long and are mostly manual, with risk management and compliance activities remaining detective rather than preventative.
Likewise, point-in-time solutions for improving risk management, including regulatory compliance, are no longer adequate for firms seeking to create a more effective and efficient risk framework; risk solutions must be agile. The crises of tomorrow will be different from the crises of the past – they will require agile and effective risk management and compliance functions that can move away from constantly analyzing and reviewing historical information to forecasting future horizons. Equally, risk management and compliance must operate more like business functions to provide value through being agile, responsive and more forward-looking to help enable success for the business.
The time has come for proactive organizations to take the lead by adopting an Agile Risk Management framework to better meet the challenges of today’s customers, shareholders and employees, and of the risk and regulatory environment.
4 | AGILE RISK MANAGEMENT • PROTIVITI
THE SOLUTION
In a fast-changing regulatory and business environment, the key capability for firms to develop is agility. The ability to react rapidly to new regulations, adapt old products or launch new ones in new markets and enhance customer satisfaction with the rapid adoption of new technologies is essential in today’s financial marketplace.
Adopting an Agile Risk Management philosophy requires the use of risk as an enabler to foster real business benefits. Today, risk is viewed as an obligation; tomorrow, risk can enable increased profits and higher customer satisfaction. If risk is addressed up front in the design of products and services and embedded into the fabric of business processes, it lays the foundation for flawless execution and higher customer satisfaction.
What Is Protiviti’s Agile Risk Management Philosophy?
Agile Risk Management aims to maximize the value of risk management to an organization. This starts with the foundation of a comprehensive risk (and compliance) management program, represented in the building blocks below. It is this solid foundation that prepares the firm for a transformation into Agile Risk Management, which focuses on how risk management building blocks can be embedded and designed within business processes. This eliminates short-term, manual solutions, as well as siloed practices and processes, where risk data is unavailable or risk cannot be effectively measured. An example of a target state operating model is depicted below showing the building blocks that enable risk to be managed seamlessly, proactively and easily through a generic business process.
While the building blocks on their own are not revolutionary, when the philosophies of Agile Risk Management – operational excellence, customer satisfaction and an aligned organization – are used to improve these building blocks, organizations can realize tremendous value from risk management in a cost-effective and efficient manner.
The value of Agile Risk Management centers on putting the customer first and providing consistent customer experiences. For the organization, the agility provided by following this philosophy allows optimized performance, freeing up management time and resources to focus on growth realized through taking risk-enabled decisions.
PROTIVITI • AGILE RISK MANAGEMENT | 5
Operational�Excellence
Risk Management
AlignedOrganization
Customer�Satisfaction
Protiviti Agile Risk Management Philosophy
Value of Agile Risk Management
• Customer centricity• Consistent experiences• Agility• Optimized performance• Focus on growth• Risk-enabled decisions
6 | AGILE RISK MANAGEMENT • PROTIVITI
Every organization is at a different stage of maturity and is working to improve its risk management function. In our experience, typical strategies exist to ensure that those essential foundational elements are present to execute risk management activities effectively, providing quick wins for firms to build on and use to motivate their journey to a more agile state. We provide a process for how firms can move into an Agile Risk Management target state through a subset of risk management building blocks.
Target State Operating Model – Agile Risk Management
Uni
fied
Proc
ess
Bui
ldin
g B
lock
s
Strategy Define Assess Implement Sustain
Market Opportunity
1 Risk Informed
Strategy
2 Compliance
Requirements Inventory
5 Risk Identification and
Assessment
6 Risk in Design
9 Aligned Reporting and Actionable Analytics
10 Quality Data and Governance
11 Integrated Risk Technology
7 Process
Management, Monitoring and Testing
3 Risk
Governance Framework
8 Issue
Management
4 Accountability and Incentives
Define Enterprise Standards
Define Risk Appetite
Identify Inherent
Risks
Identify Risks Greater Than
Appetite
Define Products
and Services
Define Performance
Needs
Identify Impacted Processes
Design Process
Communicate to
Stakeholders
Implement Process
Ensure Initial Performance
Achieved
Ensure Process
Adherence
Operate
Perform Continuous
Improvement
PROTIVITI • AGILE RISK MANAGEMENT | 7
Protiviti’s Agile Risk Management Philosophy
Aligned Organization
Elements of Target State Benefits
• Defining business strategy with consideration from control partners
• Clear accountability for risk management; business owns the risk and control partners are appropriately empowered
• Risk and business process convergence• Appropriately resourced and skilled organization• Embedded risk culture throughout the organization that
encourages collaboration and escalation• Risk-enabled decisions aligned to risk appetite• Continuous engagement between control partners and
front-line business units
• Increased organizational capacity to focus on growth and adding market share
• Reduced duplication and rework• Less stress on business stakeholders• Ability to move faster when introducing products or
changes to processes• Enhanced reporting and analytics that enable customer
service and growth
Operational Excellence
Elements of Target State Benefits
• Successfully executed business strategy• Efficient processes and risk agility• Optimized technology• Promotion of risk management that is built into the design
of processes, technology and products• Propensity toward risk prevention versus detection• Transparency that reduces redundancy• Robust process adherence and management
• Increased customer and employee satisfaction• Faster business processes that create competitive advantages• Optimized resource utilization• Streamlined data flow and decreased time to availability –
single source of truth for data• Risk-designed products and services• Simplified reporting and analysis focused on achieving
business objectives within risk appetite limits• Continuously improving technology-enabled processes
and controls
Customer Satisfaction
Elements of Target State Benefits
• Risk management as the driver for consistent customer experiences
• Customers’ needs considered in the design of processes, products and services
• Customer-oriented risk metrics that support informed marketing plans and customer interactions
• Customer-centric focus across the organization• Customer focus that enables enterprise strategy
development and enhances the risk management vision
• Increased loyalty when customers know what to expect; reduction in “surprises”
• Simplified servicing that allows for ease of doing business for the customer and employees
• Faster-developed products that meet customers’ demands• Improved processes and controls that enable the business
to increase market share while protecting the customer• Tailored product and service solutions that fit customer
profiles and drive profitability• Enhanced insight into customers through shared risk data
and analytics
8 | AGILE RISK MANAGEMENT • PROTIVITI
WHAT DOES AN AGILE RISK MANAGEMENT MODEL LOOK LIKE RELATED TO ISSUE MANAGEMENT?
Adopting an Agile Risk Management philosophy does not need to be a lengthy project spanning several years; firms working to become a more agile organization are able to realize benefits relatively fast. One area that can be improved rapidly is issue management.
Too often, response in the financial services industry is reactive. Firms tend to react to issues such as complaints, regulatory actions or internal audit findings individually to stanch the immediate cause of the issues raised. However, for the majority of firms, a broader and more effective analysis of root cause is not conducted. As a result, firms are often faced with very similar issues soon after the initial problem that, with hindsight, could have been prevented if the cause of the original issue had been mitigated more effectively at the time.
Strategy
Develop a uniform, end-to-end issue management process to be used by front-line business.
Integration
Identify all sources of issues and implement a technology platform to create a single “system of record” for all enterprise issues.
Change Management
Incorporate a flexible structure to connect issue management with the firm’s culture.
Validation
Create a process for issue closure featuring detailed closure criteria and procedures to maintain accountability.
Normalization
Embed issue management into the standard operations of the institution as a continuous and fundamental practice in which people actively engage as part of business routines.
Benefit: Organizational Alignment – When a standardized process, incentives and norms are established to encourage proactive management of issues, all personnel begin to recognize the importance of issue management in achieving business objectives.
Benefit: Operational Excellence – When an enterprise moves to a single source of record, all enterprise issues can be inventoried and tracked in an efficient manner. Duplication of issue management efforts is reduced.
Benefit: Customer Satisfaction – Proper root cause analysis and issue validation reduce the chance of issue recurrence, leading to improved controls, processes and, ultimately, customer experiences.
PROTIVITI • AGILE RISK MANAGEMENT | 9
Issues are systemically tied to business processes, systems and controls. When there is a breakdown in one area, this can be easily identified in a unified process, which can then be used to identify links with other business processes that may have also been impacted by the same root cause to address the issue more comprehensively.
Taking a breach in customer data as an example, in addition to identifying what is impacted to evaluate the issue severity, an Agile Risk Management philosophy would manage the issue differently by using additional data to understand the impact on the relative profitability or characteristics of customers. Action plans for remediating the issue would face robust and critical challenge to ensure that the root causes have been comprehensively addressed.
Any action plan would also include a validation that those issues have been completely addressed and closed off. This approach to managing an issue allows for a thorough understanding of the exposure in a customer-centric fashion, allowing the firm to fix the issue correctly the first time and link the breach to other parts of the organization.
“ THE RESPONSE IN THIS INDUSTRY IS REACTIVE. WE FIGHT IN BITS TO STOP THE BLEEDING CAUSED
BY IMMEDIATE ISSUES, BUT WITHOUT CONDUCTING EFFECTIVE ROOT CAUSE ANALYSIS, WE FACE
THE SAME ISSUES A FEW MONTHS LATER. BY EXAMINING HOW AND WHERE BUSINESS PROCESSES
ARE LINKED TO SYSTEMS AND TO CONTROLS, WE CAN FIND ISSUES BEFORE THEY HAPPEN. AND BY
ENSURING ROBUST AND REALLY CRITICAL CHALLENGE, WE COMPREHENSIVELY ADDRESS THOSE ROOT
CAUSES RATHER THAN JUST STOPPING THE BLEEDING.”
MICHAEL BRAUNEIS, MANAGING DIRECTOR, PROTIVITI
10 | AGILE RISK MANAGEMENT • PROTIVITI
WHAT DOES AN AGILE RISK MANAGEMENT MODEL LOOK LIKE RELATED TO PROCESS MANAGEMENT?
Firms that seek to benefit from becoming more agile are able to realize benefits in a shorter window of time by focusing on one building block at a time. A good example of an area where many organizations can realize the benefits of Agile Risk Management is process management, monitoring and testing.
Often, process management, tools, methodologies and routines are not standardized across the first and second lines of defense, which hinders reliance and comparability and results in duplication. Process management that lacks a simple and well-understood taxonomy will fail to achieve both customer and risk management objectives and leave the organization exposed to issues, lost time and unsatisfied customers.
In many cases, there are no effective standards for identifying risks and designing controls as processes are designed or redesigned. Therefore, faulty design creates an environment where monitoring and testing is incomplete, reactive and ad hoc, and where business and risk managers do not use process risk and performance metrics or such metrics are not available.
• Clearly define performance metrics and expectations
• Map processes
• Draft a single set of standards for monitoring and testing
• Build a data warehouse for all monitoring and testing data
• Perform initial analysis of processes and controls to identify improvements
• Monitor and test process performance and risk against defined metrics
• Track and aggregate process monitoring in centralized warehouse and align to issue management and change management processes
• Ensure and measure the completeness and quality of process management against standards
• Provide reporting to key stakeholders on process adherence
• Assess technology solutions and system upgrades
Benefit: Aligned Organization – A single set of standards aligns the entire organization on expectations and practices for process management. Processes are managed consistently with business and risk management goals aligned.
Benefit: Operational Excellence – Once the organization is thinking about process management in the same way, processes, risks and controls can be analyzed and improved to drive operational excellence.
Benefit: Customer Satisfaction – With strong process management, monitoring and testing in place, business processes act as intended, ultimately delivering products and services that meet customer needs.
Define – Establish
Standards
Adhere – Sustain Quality
Manage – Administer Routines
PROTIVITI • AGILE RISK MANAGEMENT | 11
Ultimately, the most effective process management will come from a highly automated monitoring and testing program using consistent data, a common methodology, shared tools and effective reporting across all lines of defense, which supports improving business processes and early identification of issues or breakdowns. This is achieved through the establishment of a common process taxonomy, risk and performance standards, and monitoring and testing techniques that are consistently shared, leading to reliable and repetitive routines. Robust measurement is achieved through monitoring key performance indicators and key risk indicators of processes together.
A common first step to becoming more agile in process management is creating routine process maintenance within business units to gather, document and map current processes, risks and controls. As the organization matures, controls should be analyzed to ensure they are appropriately mitigating risks and rationalized to determine their relative strength (i.e., preventive versus detective and automated versus manual). Agile Risk Management places an emphasis on enhancing quality and the automation of controls; the goal is to minimize time spent on the testing of controls while maintaining the same level of assurance and coverage.
An agile organization generates near real-time monitoring and testing data that is routinely analyzed, and issues, process improvements and lessons learned are shared with stakeholders. Potential customer impact is analyzed as part of process monitoring and remediation focuses on process improvements that reduce errors and increase customer satisfaction.
“ TODAY OUR CLIENTS ARE FOCUSED HEAVILY ON THE TESTING ASPECT OF THIS BUILDING BLOCK.
SIGNIFICANT RESOURCES AND SPENDING GO INTO TESTING FOR CONTROL EFFECTIVENESS
AND EFFICIENCY. WHILE THIS IS A KEY COMPONENT OF AGILE RISK MANAGEMENT, PROTIVITI’S
PHILOSOPHY PUTS MORE EMPHASIS ON THE PROCESS MANAGEMENT AND MONITORING THROUGH
RISK AND PERFORMANCE WITH A TECHNOLOGICALLY ENABLED CONTROL ENVIRONMENT. THE
EMPHASIS IS ON STRENGTHENING OVERALL PROCESS HEALTH, ENHANCING THE QUALITY AND
AUTOMATION OF CONTROLS, AND MINIMIZING THE NUMBER OF RESOURCES AND AMOUNT OF
TIME AND MONEY SPENT ON CONTROL TESTING. THIS SHIFTS AN INSTITUTION’S FOCUS FROM
LOOKING FOR BREAKS IN THE PROCESS THROUGH CONTROL TESTING TO MONITORING RESULTS OF
WELL-UNDERSTOOD AND WELL-MANAGED PROCESSES, IDENTIFYING TRENDS AND CHANGES, AND
MITIGATING FUTURE BREAKDOWNS BEFORE THEY HAPPEN.”
CORY GUNDERSON, GLOBAL FINANCIAL SERVICES PRACTICE LEADER, PROTIVITI
“ THROUGH OUR AGILE RISK MANAGEMENT PHILOSOPHY, THE DESIRED BUSINESS OUTCOME ALWAYS
COMES FIRST. BEFORE NEW PROCESSES ARE DEPLOYED AND AS EXISTING PROCESSES ARE REFINED, THE
PRIMARY FOCUS IS ON HOW TO BEST ACHIEVE THE DESIRED BUSINESS RESULT – INCLUDING CUSTOMER
AND CLIENT SATISFACTION – WITH RISK MANAGEMENT INTEGRATED THROUGHOUT THE PROCESS.”
MATTHEW MOORE, MANAGING DIRECTOR, PROTIVITI
12 | AGILE RISK MANAGEMENT • PROTIVITI
WHAT DOES AN AGILE RISK GOVERNANCE FRAMEWORK LOOK LIKE?
Defining risk and documenting management activities in a multitude of frameworks, policies, procedures and manuals can be complex for organizations to implement, which can be further complicated by the need to train employees and ensure operating standards relating to risk management. Governance around managing risk is assumed to be in place, with responsibility and accountability residing with inefficient committees or remaining undefined. Although many firms have made strides in defining their risk appetite for enterprise and material risks in an effort to achieve strong risk management and in response to recent regulatory guidance, these same firms have had difficulty driving and/or cascading the risk appetite to lines of business or products. Finally, by rushing to define roles and responsibilities to ensure a three-lines-of-defense model, institutions have created duplicative activities, inconsistent standards for key risk management activities and methodologies, and gaps in risk management coverage. Many firms could benefit from greatly simplifying their risk governance frameworks, policies, procedures and manuals utilizing Agile Risk Management methods to refine, improve, communicate, implement and train.
Develop clear definitions for material risks, governance, risk appetite and risk management activities in a framework across the three lines of defense.
Develop programs to verify implementation of the framework and ensure that policies and standards across the organization are in alignment with the framework on an ongoing basis.
Assign ownership and accountability of risk management activities, define clear risk reporting and escalation channels, and communicate across the three lines of defense.
Inventory existing policies and procedures, and perform a gap analysis to identify policies and standards that are not aligned to the defined framework.
Convert methodologies, policies and standards to a standardized format, and update to ensure alignment to the framework and risk appetite.
Benefit: Organizational Alignment – Simplified reporting and analysis focused on achieving business objectives within risk appetite limits.
Benefit: Operational Excellence – Faster business processes that create competitive advantages.
Benefit: Customer Satisfaction – Transparent oversight of risks increases business performance and the institution’s reputation among key stakeholders.
Define Assign Assess
Challenge
Align
The development of the framework and the subsequent assignment of accountability is the crux of the effort in getting to Agile Risk Management and should be a continuous process to revise the framework based on evolving practices, regulatory expectations and shifts in the bank’s risk profile.
PROTIVITI • AGILE RISK MANAGEMENT | 13
In an Agile Risk Management organization, the risk governance framework defines material risks and risk appetite, and provides the foundational information to ensure that standards effectively document how the current and emerging risks are identified, measured, mitigated and reported in a clear and simple method, allowing for adherence monitoring. Owners of all risks are identified and accountability exists for actions to manage the risk. There is full role clarity between business and control partners (lines of defense). Finally, the framework is routinely updated based on changes in the organization’s risk profile, strategic plans and/or other external factors.
Taking a closer view of how a risk governance framework is implemented, an Agile Risk Management organization has sufficient and effective training in place to ensure that every employee understands that risk management is part of his or her role. Employees from all parts of the organization are able to consistently and comprehensively describe and articulate how the organization manages risk and their role in doing so. Risk appetite is a commonly utilized term and measured at a meaningful level across the organization that impacts not only strategic decisions but also day-to-day business decisions. When this is performed correctly, the organization is creating and defining a strong risk culture that is enhanced through Agile Risk Management principles.
“ FINANCIAL INSTITUTIONS HAVE INVESTED SIGNIFICANT TIME, EFFORT AND FUNDS OVER THE LAST
SEVERAL YEARS TO INVENTORY RISKS, UNDERSTAND HOW THOSE RISKS ARE MANAGED, DEFINE RISK
APPETITES, AND THEN REPORT HISTORICAL PERFORMANCE AGAINST RISK APPETITE. AGILE RISK
MANAGEMENT TAKES IT TO THE NEXT STEP BY ENSURING RISK AND RISK APPETITE ARE INGRAINED INTO
DECISION-MAKING TO ALLOW FOR A FORWARD-LOOKING VIEW OF THE RISKS FACING AN ORGANIZATION.”
MATTHEW MOORE, MANAGING DIRECTOR, PROTIVITI
“ ROLES AND RESPONSIBILITIES MAY SEEM TRIVIAL BUT ARE CRITICAL TO THE SUCCESS OF RISK
MANAGEMENT AT A FINANCIAL INSTITUTION. RISK MANAGEMENT DOES NOT JUST SIT WITH THE SECOND
LINE OF DEFENSE – IN AGILE RISK MANAGEMENT, THE LINES OF DEFENSE ARE EFFICIENTLY ALIGNED AND
ARE EQUALLY RESPONSIBLE FOR MANAGING RISK AND ADHERING TO THE DEFINED RISK APPETITE.”
PETER RICHARDSON, MANAGING DIRECTOR, PROTIVITI
14 | AGILE RISK MANAGEMENT • PROTIVITI
WHAT DOES AN AGILE RISK MANAGEMENT MODEL LOOK LIKE RELATED TO COMPLIANCE REQUIREMENTS?
Today, financial institutions are governed by a multitude of regulations impacting all lines of business and service offerings. Compliance requirements have become increasingly complicated, yet firms’ management of these requirements has remained disjointed and reactive based on regulatory enforcement actions. Firms often struggle with translating their compliance requirements into applicable business risks. Compliance requirements are not maintained centrally, and policies and procedures governing the management of requirements do not exist.
As a result, firms are increasingly susceptible to noncompliance, as demonstrated by the stream of regulatory enforcement actions seen over recent years – actions that could have been avoided by taking an agile approach to managing the compliance requirements inventory.
Agile Risk Management would incorporate new compliance requirements and changes differently. The compliance organization is forward-looking in the agile state and prepares the business with detailed requirements that are applicable to relevant services and products. New compliance requirements are tracked and reported to the business well before formal release dates, and compliance advises in preparing for business process changes.
In order to maintain the requirements through a unified process, a comprehensive, centralized inventory exists that contains all applicable compliance requirements. Validation is performed on the back end to ensure that all aspects of required changes have been implemented and nothing has slipped through the cracks. In the agile state, new requirements are known, a plan to confirm compliance is implemented and full compliance is validated before updated standards go into full effect.
“ CAN AN ORGANIZATION’S COMPLIANCE FUNCTION RESPOND TO, AND QUICKLY ADDRESS, CHANGES
IN THE REGULATORY AND/OR INDUSTRY RISK MANAGEMENT ENVIRONMENT AS WELL AS CHANGES
TO THE COMPANY’S BUSINESS MODELS? THIS IS THE QUESTION THAT AGILE RISK MANAGEMENT
ANSWERS FOR THE COMPLIANCE REQUIREMENTS INVENTORY. GETTING THIS RIGHT PAYS DIVIDENDS
TO THE ORGANIZATION, NOT ONLY IN COVERAGE BUT ALSO IN MAXIMIZING EFFICIENCY BY LIMITING
UNNECESSARY DUPLICATION AMONG THE VARIOUS MONITORING FUNCTIONS.”
MICHAEL BRAUNEIS, MANAGING DIRECTOR, PROTIVITI
PROTIVITI • AGILE RISK MANAGEMENT | 15
IN CLOSING
Adopting a more efficient and effective risk management framework brings real, demonstrable value to the business. Agile Risk Management aims to provide benefits that are tangible. For example, it can lead to a 10 percent reduction in organizationwide operating costs, which translates into a 3 percent increase in available capital to invest in new or existing businesses. Standardized business processes and collaborative efforts to integrate and eliminate redundant controls could also drive a 25 percent reduction in total hours spent on key risk management activities across lines of defense.
The increased confidence of risk coverage can lead to a 40 percent reduction in the volume of issues and regulatory findings. Finally, spending on risk and compliance costs could be reduced by 25 percent, allowing the redeployment of resources from the second line of defense to the business to help drive growth. These numbers are illustrative, but they demonstrate how the Agile Risk Management philosophy can translate into real monetary value for risk managers and the enterprise.
• 25% reduction in total hours spent on key risk management activities across control partners
• 25% reduction in risk and compliance operating costs
• 40% reduction in volume of issues and regulatory findings
• 10% reduction in organization-wide operating costs
• 3% increase in capital available to invest in new or existing businesses
• 10% increase in revenue growth and record member satisfaction scores
Process Simplification
Increased Confidence of Risk Coverage
Redeployed Second-Line
Resources
Increased Financial Benefits
Product and Channel
Innovation Opportunities
By employing an Agile Risk Management approach, senior managers are better informed and truly understand the risks they are undertaking – or, just as important, they understand the risks they are not taking – thanks to the refinement and strong implementation of fully understood risk management frameworks, which define roles and responsibilities across the organization. The philosophy encourages a strong risk culture that supports continuous improvement and fosters dialogue on strategic decisions and direction for the business.
Agile Risk Management increases transparency and accuracy in reporting and enables executive management to make timely business and risk management decisions. Improved transparency and an aligned organization also increase stakeholders’ confidence, including counterparties, funding providers and rating agencies. Proactive organizations that take the lead and adopt an Agile Risk Management philosophy will better meet the challenges of today’s customers, shareholders and employees, as well as adapt more fluidly to the changing risk and regulatory environment and realize benefits to the bottom line.
16 | AGILE RISK MANAGEMENT • PROTIVITI
HOW PROTIVITI CAN HELP
Protiviti has a record of success helping clients develop Agile Risk Management practices with the responsiveness required for an ever-changing business environment. We work with more than 75 percent of the world’s largest financial institutions, which benefit from our collaborative team approach to resolving today’s risk management challenges. Our professional consultants have varied industry and regulatory backgrounds that enable our unified financial services practice, with the seamless integration of risk and compliance, technology, data and analytics solutions, to develop customized Agile Risk Management approaches to meet tomorrow’s challenges today.
Business, risk, compliance and internal audit groups need to work within an integrated framework with clear accountabilities that will lead to an aligned organization for making sound decisions. We address risk and operational excellence as two sides of the same coin, leading to agility and optimal performance. We understand how customer satisfaction, and in turn growth, have become elusive. While risk management is intended to drive growth, it too often becomes an inhibitor. Our expertise positions you at the forefront of effective risk management with a unique approach to reap both immediate and long-term benefits.
PROTIVITI • AGILE RISK MANAGEMENT | 17
ABOUT PROTIVITI
Protiviti (www.protiviti.com) is a global consulting firm that helps companies solve problems in finance, technology, operations, governance, risk and internal audit, and has served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. Protiviti and our independently owned Member Firms serve clients through a network of more than 70 locations in over 20 countries. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies.
Ranked 57 on the 2016 Fortune 100 Best Companies to Work For® list, Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
Contacts
Cory Gunderson Managing Director +1.212.708.6313 [email protected]
Timothy Long Managing Director +1.212.399.8637 [email protected]
Michael Brauneis Managing Director +1.312.476.6327 [email protected]
Atul Garg Managing Director +1.704.972.9612 [email protected]
Matthew Moore Managing Director +1.704.972.9615 [email protected]
Peter Richardson Managing Director +44 (0)20.7024.7527 [email protected]
Ed Page Managing Director +1.312.476.6093 [email protected]
George Brown Managing Director +852.2238.0486 [email protected]
David Dawson Managing Director +1.647.288.8505 [email protected]
Giacomo Galli Managing Director +39.02.6550.6303 [email protected]
© 2016 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services. PRO-0616-103077
* Protiviti Member Firm
THE AMERICAS
UNITED STATES
AlexandriaAtlantaBaltimoreBostonCharlotteChicagoCincinnatiClevelandDallasDenverFort LauderdaleHouston
Kansas City Los Angeles Milwaukee Minneapolis New York Orlando Philadelphia Phoenix Pittsburgh Portland Richmond Sacramento
Salt Lake City San Francisco San Jose Seattle Stamford St. Louis Tampa Washington, D.C. WinchesterWoodbridge
ARGENTINA*
Buenos Aires
BRAZIL*
Rio de Janeiro São Paulo
CANADA
Kitchener-WaterlooToronto
ASIA-PACIFIC
AUSTRALIA
BrisbaneCanberraMelbourneSydney
CHINA
BeijingHong KongShanghaiShenzhen
INDIA*
BangaloreHyderabadKolkata MumbaiNew Delhi
JAPAN
Osaka Tokyo
SINGAPORE
Singapore
CHILE*
Santiago
MEXICO*
Mexico City
PERU*
Lima
VENEZUELA*
Caracas
EUROPE/MIDDLE EAST/AFRICA
FRANCE
Paris
GERMANY
Frankfurt Munich
ITALY
Milan Rome Turin
THE NETHERLANDS
Amsterdam
UNITED KINGDOM
London
BAHRAIN*
Manama
KUWAIT*
Kuwait City
OMAN*
Muscat
SOUTH AFRICA*
Johannesburg
QATAR*
Doha
SAUDI ARABIA*
Riyadh
UNITED ARAB EMIRATES*
Abu Dhabi Dubai